Motor industry faces growing threat of cybersecurity attacks
As today’s cars turn increasingly connected, they become easier targets for hackers
In the summer of 2015, the motor industry was rocked by a series of high-profile car hacks that remotely unlocked car doors, turned on windscreen wipers, interfered with steering and even stopped a Jeep Cherokee in its tracks on the highway.
The industry already knew that any device with an internet connection could be hacked and that as cars became increasingly connected they could easily become a prime target for those with malicious intent. Despite this, many automakers were slow to secure their vehicles and the audacity of the Jeep hackers – who reportedly spent three years developing their technique – caught people on the hop and led to the recall of 1.4 million vehicles in the United States.
This incident, which auto analyst IHS Markit estimates cost Fiat Chrysler $45.5 million (€37 million), exposed a major vulnerability and underlined the extent to which the auto industry was trailing consumer electronics when it came to security.
The Jeep hack was high profile, but as IHS points out, most major automakers including Ford, General Motors, Toyota and VW have all had vehicles hacked in one way or another. And it’s not just an issue for long established manufacturers. Even high-tech newcomers such as Tesla are not immune.
Control the brakes
In 2016, a team of Chinese researchers were able to breach the security of the Tesla Model S and take remote control of the brakes, door locks, infotainment screen and other features from 12 miles away. The hackers’ target was the car’s controller area network – the cluster of connected computers present inside almost all cars today – which operates everything from the lights to the electric windows. Tesla fixed the weak spot with an over-the-air software update and is one of the most pro-active manufacturers when it comes to encouraging hackers to find flaws. It even rewards them with cash for doing so.
“When cars are more connected, criminal hackers have a bigger reach,” explains Alexander Kocher, president and managing director of embedded software solutions company Elektrobit. “They can gain full access to the car and even manipulate fleets, which can potentially do much more damage. For example, it would be possible to stop an entire fleet on the road. Criminals could hold vehicles hostage and ask for ransom or manipulate the vehicle to cause a fatality.”
The summer of 2015 was a wake-up call for the industry that resulted in a brisk upsurge in activity within the automotive cybersecurity sector. Despite big growth in the last two years, however, this industry is still in its infancy and there are potentially lucrative pickings for companies that can get in on the ground floor. In particular, there is real scope for innovative thinkers who can fill in the gaps in the cybersecurity jigsaw.
It’s a complex field, not least because, like Hydra, it has many “heads” and spans software, hardware, data, networks and the cloud. Cost containment is an issue, as is how to integrate solutions, such as layered encryption, into existing architectures. There are also issues around controlling the sub supply chain, safeguarding the connected car loop and ensuring that even if a vehicle is hacked it can continue to function.
The push to secure connected vehicles has led to an unprecedented level of inter-manufacturer co-operation and partnerships with legacy suppliers as well as a flurry of big acquisitions by the major players. Further down the food chain there has also been a feeding frenzy with numerous cyber-savvy and IT start-ups being snapped up by larger suppliers keen to access their leapfrog technologies to address limiting issues such as the big shortfall in software capability within the industry. Leading the charge in terms of cybersecurity innovation is Israel, which currently has an estimated 50+ young companies working in the space across different industries with more to come.
Colin Bird, a senior automotive technology analyst at IHS Markit in the US, estimates that revenues in the sector “will crest over $30 million at the end of 2017, but will balloon to more than $2 billion by 2024. About 90 per cent of the dots remain to be joined so there is huge opportunity. Out of a potential market of 100 per cent, fulfillment is currently 4 to 5 per cent,” he tells The Irish Times.
At the moment automotive cybersecurity is primarily focused on three main markets: North America, western Europe and Japan. Those already well positioned to reap the rewards of the anticipated boom unsurprisingly include leading automotive suppliers such as Bosch, Harman and Continental as well as Honeywell and the multinational networking company, Cisco. Thereafter, it’s largely open season and Bird describes the sector as “still very much the Wild West”.
Krishna Jayaraman, an automotive connectivity specialist at analyst Frost & Sullivan, says that automotive companies currently spend a modest three to seven per cent of their IT budgets on security but that this is going to grow dramatically as “investments to acquire software services and security capabilities continue to gain momentum with security becoming part of R&D budgets”.
Indeed, the process is already under way. In 2015-2016, Harman spent over $1 billion (€810 million) buying TowerSec, Red Bend software and Symphony Teleca while Continental bought Israeli-owned cybersecurity company, Argus, for a reported $400 million (€325 million) in November last year.
The Jeep hack also prodded action from legislators who suddenly realised that as most vehicles will have some level of connectivity by 2020, they needed to take a position on where they believe the responsibility for security lies, especially when things go wrong. As a result, laws and position papers are coming thick and fast with the EU’s cybersecurity agency reportedly looking at issuing certificates to connected cars similar to those used in other critical areas such as food safety.
Legislators seem to be taking the view that the buck stops with the industry and more particularly with its senior executives. As of August last year the UK government’s stated position was that cybersecurity should be owned, governed and promoted at board level. “We are already seeing initiatives whereby the top management of the companies delivering these cybersecurity programmes will be personally liable,” says Elektrobit’s Kocher.
In an effort to get ahead of the hackers, the auto industry set up the Automotive Information Sharing and Analysis Center in 2015. Its role is to identify and track potential cyber threats.
That said, Kocher admits, “we recognise that having 100 per cent cybersecurity is not a reality”. What Kocher wants to see, however, is a situation where hacks can be contained as quickly as possible. “There are different technologies available such as intrusion detection software and anomaly detection,” he says.
“Then you need technology that can analyse this information very quickly to try to protect the vehicle from the attack and also fix the leak wherever it is. The target is to stop a hack within hours when you have a well-designed system.”